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ABSTRACT 



A method for providing authentication, authorization and access control of software object residing in digital set-top terminals creates a fingerprint ("signature") for each software object, associates each fingerprint with a service tier, encodes each association and creates an association table containing the information, and downloads the association table to the digital set-top terminal. In addition, the method utilizes an entitlement management message, sent to each set-top terminal, indicating what software objects the set-top terminal may utilize, and provides a system routine at the digital set-top terminal that is invoked whenever software object is about to be utilized. The entitlement management message contains the access rights given to a particular set-top terminal, which must match the software object's access requirements for the software object to be utilized. The entitlement management message may also contain set-top terminal resource control access rights that a given software object may utilize. When the software object requires the utilization of a set-top resource, a second conditional access routine may be invoked to determine the authorization rights for using the resource. Measures to protect such means are also described. As such, the method provides multiple system cable operators (MSO's) with additional capabilities to maintain secure control of features and applications running on their networks and within the associated set-top terminals.

31 Claims, 4 Drawing Sheets 
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AUTHORIZATION AND ACCESS CONTROL OF SOFTWARE OBJECT RESIDING IN SET-TOP TERMINALS

This application claims the benefit of U.S. Provisional Application No. 60/090,297, filed Jun. 23, 1998.

FIELD OF THE INVENTION

The present invention relates generally to a method for providing authorization, authentication and access control of "executable code", or "software object", which includes but is not limited to application code, operating systems and associated components (e.g. dynamic link libraries — DLL's), BIOS, Java Virtual Machine (JVM), Java applications and applets, etc., residing in set-top terminals.

BACKGROUND OF THE INVENTION

As digital set-top terminals (the General Instrument DCT5000+, for example) incorporate the capability to download different operating systems, DLL's and JVM's (Windows CE included), multiple system cable operators (MSO's) need a mechanism that will allow them to maintain control of the features and applications that run within these set-top terminals. More specifically, MSO's want the ability to access-control services and the associated usage of software objects in set-top terminals.

One known attempt to address the authenticity of code objects for the PC environment is Microsoft's "Authenticode" capability. This product enables software vendors to acquire a digital signature for published executable code. Authenticode provides a digital signature with only one signer; the code is signed with Microsoft's private key (which is not published) and is verified with Microsoft's public key, which is bundled into the Authenticode verification code in the operating system. However, while Authenticode provides digital signature protection for executable code, it does not provide any means of determining access requirements for the executable code for access control purposes (and revenue generation purposes), and it is applicable only to executable code.

A second known attempt to address control of Java applets is "Java Security", which is intended to prevent applets from inspecting or changing files on a client system and from using network connections to circumvent file protections or data privacy measures. However, as is the case with Authenticode, Java Security does not offer authentication of any software object unless it is Java based, nor does it offer the association with access requirements for access control and revenue generation purposes.

Although each of the products described above attempts to address protection and control of software object in a PC environment against unauthorized utilization by a given set-top terminal, they do not fully address the issues associated with authorization, authentication and access control, and thus do not provide an optimal solution that meets MSO requirements.

SUMMARY OF THE INVENTION

As set-top terminals assume a computing environment for entertainment purposes by utilizing downloadable software objects such as operating systems, libraries, Java Virtual Machines, applications, applets, etc., it becomes extremely critical to protect and control the software object to guard against unauthorized utilization by a given set-top terminal. In accordance with the proposed concept, not only does the identity of each software object require authentication, but its utilization has to be subject to MSO control via authorization permissions, along with control of which set-top terminal resources a given software object may use. These measures complement those of object validation and verification and ensure that software objects that have not been authenticated are not utilized. To the extent that these measures are utilized, the set-top terminal is no longer subject to problems associated with objects that have failed to follow the security design rules, or worse yet, those which may be [illegible] that is meant to cause harm to the MSO's network and associated set-top terminals.

In a particular embodiment of the invention, a method for providing authorization and access control of software object residing in digital set-top terminals creates a fingerprint (signature) for each software object, associates each fingerprint with a service tier, encodes each association and creates an association table containing the information generated by the encoding step (note, this table may consist of one or more association entries). In addition, the method sends the association table to the digital set-top terminal and also transmits a message, indicating what software objects the set-top terminal may utilize, to the digital set-top terminal. Finally, the proposed method provides a system routine at the digital set-top terminal that is invoked prior to commencing download of the object, once the software object has been downloaded, or optionally whenever the software object is about to be utilized (or "invoked" if it is executable code). The system routine uses the association table to validate the authenticity of the object (authenticate) and to determine whether the object about to be downloaded is associated with a corresponding service tier for which the set-top has been authorized; if not, the software object download (or utilization) is not allowed. If, however, the software object about to be downloaded (or utilized) is associated with a service tier for which the set-top has been authorized, the object download (or utilization) is allowed. In accordance with another aspect of the invention, the software object has been verified and validated prior to the recited steps.

In accordance with still another aspect of the invention, the transmitted message further indicates which set-top terminal resources the software object, or the set-top as a whole, is authorized to utilize.

Yet a further advantage provided by another feature of the present invention is that if the software object about to be invoked contains the correct fingerprint and the authorization rights match the authorization requirements associated with the software object, the method further determines if the use of terminal resources has been authorized. In one embodiment, if a determination is made that the use of a set-top terminal resource has been requested, the method further provides a second system routine at the digital set-top terminal, and the second system routine uses the transmitted messages to determine if the software object may utilize the requested set-top terminal resource. In the case where the resource is authorized as an Impulse-authorizable resource (by associating it with an impulse tier in the message), the user is allowed to request an impulse (immediate) authorization of this resource. This prevents the subscriber (user) from having to call the MSO's Customer Service Center for such authorization.

A further advantageous feature of the invention is that if the software object about to be utilized does not contain the correct fingerprint, the software object is not executed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified block diagram illustrating the logical paths of a cable system relevant to the description of the invention.
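The method summarized above, modelled end to end as an added example (this is not code from the patent or from General Instrument): the MSO side fingerprints each object, attaches its tier bits and resource bits, and seals the result as an ECS; an EMM carries the tiers and resource rights granted to one set-top; the set-top's CA routine checks the tier bits (authorization, the key against the lock) and then the fingerprint (authentication) before an object is used; a second routine checks resource use; and an impulse-authorizable tier can be registered on the subscriber's request. Everything concrete is an assumption made for the example: HMAC-SHA256 stands in for the MSO's secret encoding of the ECS, SHA-256 for the fingerprint (ECR), tiers and resources are bit positions in integer masks, and the object names, key and tier assignments are constructed.

```python
# Added model of the method summarized above; not the patent's own code. Constructed
# assumptions: HMAC-SHA256 stands in for the MSO's secret envelope over the ECS, SHA-256
# for the fingerprint (ECR), tiers/resources are bit positions, the table is a dict.
import hashlib
import hmac
from dataclasses import dataclass, field, replace

MSO_KEY = b"constructed-mso-secret-key"  # held by the OASD/AC and the secure processor
TIER_BASIC_OS, TIER_GAMES, TIER_IPPU_GAMES = 1, 2, 4  # constructed tier bits
RES_COMM_PORT, RES_KEYBOARD = 1, 2                    # constructed resource bits


def fingerprint(obj: bytes) -> bytes:
    """Step 10: the fingerprint (Entitlement Control Record) of a software object."""
    return hashlib.sha256(obj).digest()


@dataclass(frozen=True)
class ECS:
    """Entitlement Control Structure (steps 20-30): id, ECR, tier/resource bits, envelope."""
    object_id: str
    ecr: bytes
    tier_bits: int
    resource_bits: int
    envelope: bytes = b""

    def expected_envelope(self) -> bytes:
        body = b"|".join([self.object_id.encode(), self.ecr, self.tier_bits.to_bytes(4, "big"),
                          self.resource_bits.to_bytes(4, "big")])
        return hmac.new(MSO_KEY, body, hashlib.sha256).digest()


def build_ecs(object_id: str, obj: bytes, tier_bits: int, resource_bits: int = 0) -> ECS:
    """MSO side: fingerprint the object, attach its tier and resource bits, seal it."""
    unsigned = ECS(object_id, fingerprint(obj), tier_bits, resource_bits)
    return replace(unsigned, envelope=unsigned.expected_envelope())


@dataclass
class EMM:
    """Entitlement Management Message for one set-top (step 50)."""
    authorized_tiers: int   # tiers the subscriber holds
    resource_rights: int    # set-top resources this terminal may grant to objects
    impulse_tiers: int = 0  # tiers flagged as impulse-authorizable


@dataclass
class SetTop:
    emm: EMM
    table: dict                              # association table (step 40): id -> ECS
    log: list = field(default_factory=list)  # failures to report to the access controller
    impulse_registered: int = 0              # impulse authorizations taken, for billing

    def _ecs(self, object_id: str):
        ecs = self.table.get(object_id)  # trusted only if its envelope verifies under MSO_KEY
        if ecs is not None and hmac.compare_digest(ecs.expected_envelope(), ecs.envelope):
            return ecs
        return None

    def authorize(self, object_id: str) -> bool:
        """Steps 140/200: the EMM rights (key) must match the ECS tier bits (lock)."""
        ecs = self._ecs(object_id)
        ok = ecs is not None and bool(ecs.tier_bits & (self.emm.authorized_tiers | self.impulse_registered))
        if not ok:
            self.log.append(("unauthorized", object_id))
        return ok

    def authenticate(self, object_id: str, downloaded: bytes) -> bool:
        """Step 150: the downloaded bytes must match the fingerprint in the ECS."""
        ecs = self._ecs(object_id)
        ok = ecs is not None and hmac.compare_digest(fingerprint(downloaded), ecs.ecr)
        if not ok:
            self.log.append(("bad-fingerprint", object_id))
        return ok

    def ca_routine(self, object_id: str, downloaded: bytes) -> bool:
        # The system routine invoked before an object is used (FIG. 3).
        return self.authorize(object_id) and self.authenticate(object_id, downloaded)

    def resource_ca_routine(self, object_id: str, resource: int) -> bool:
        """Second CA routine (FIG. 4): ECS must permit the resource and the EMM must grant it."""
        ecs = self._ecs(object_id)
        return ecs is not None and bool(ecs.resource_bits & resource & self.emm.resource_rights)

    def impulse_request(self, tier: int) -> bool:
        """Subscriber asks for immediate authorization of an impulse-authorizable tier."""
        if self.emm.impulse_tiers & tier:
            self.impulse_registered |= tier  # registered for subsequent billing
        return bool(self.emm.impulse_tiers & tier)


def demo() -> dict:
    """Constructed walk-through: an OS image and a game applet on one set-top."""
    os_image, game = b"constructed OS image", b"constructed game applet"
    table = {"os": build_ecs("os", os_image, TIER_BASIC_OS, RES_COMM_PORT),
             "game": build_ecs("game", game, TIER_GAMES | TIER_IPPU_GAMES, RES_KEYBOARD)}
    stb = SetTop(EMM(TIER_BASIC_OS, RES_COMM_PORT | RES_KEYBOARD, TIER_IPPU_GAMES), table)
    return {"os_ok": stb.ca_routine("os", os_image),
            "os_tampered": stb.ca_routine("os", os_image + b"!"),
            "game_before_impulse": stb.authorize("game"),
            "impulse": stb.impulse_request(TIER_IPPU_GAMES),
            "game_after_impulse": stb.ca_routine("game", game),
            "game_keyboard": stb.resource_ca_routine("game", RES_KEYBOARD),
            "no_association": stb.ca_routine("rogue", b"not in the table"),
            "log": stb.log}
```

demo() walks one set-top through the cases the description distinguishes: an OS image that is both authorized and authenticated, a tampered copy of it that fails the fingerprint check, a game object whose tier the subscriber only holds after an impulse request has been registered, a resource check that passes because both the ECS and the EMM allow the keyboard, and an object with no association entry at all. The log list is what the set-top would report back to the access controller; the envelope check in _ecs is what stops a tier bit in a table entry from being altered without the MSO's key.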



US 6,256,393 B1

FIG. 2 is a simplified flow chart illustrating the steps performed by a multiple system cable operator (MSO) to provide authorization and access control of software object in set-top terminals.

FIG. 3 is a simplified flowchart illustrating the steps performed by a Conditional Access (CA) routine, at a set-top terminal, upon invoking software object.

FIG. 4 is a simplified flowchart illustrating the additional steps performed by a second Conditional Access (CA) routine in another embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

Multiple system cable operators need to extend access control capabilities, i.e., to control the ability to access and use software objects in set-top terminals capable of downloading such objects and later utilizing these objects if their download and use is authorized and the objects pass authentication checks.

Access control of a software object, in accordance with one aspect of the invention, consists of three parts. The first defines the access requirements for a particular service (and associated objects) and the second defines the authorization rights for a particular set-top terminal to access these services (and associated objects). The third provides additional identification information to enable the set-top terminal to authenticate the objects prior to their utilization. The access requirements may be considered as the lock, and the authorization rights may be considered as the key. When the authorization rights match the access rights (and no parental control is required), the set-top terminal is allowed to access the service (and associated objects).

There are two types of messages that facilitate the access control function. First, the Entitlement Control Message (ECM) delivers the Entitlement Control Structure (ECS) (explained in further detail below), which contains the Entitlement Control Record (ECR) (also explained in detail below) for the associated objects and lists the entitlement information required for program viewing or object(s) use. The second message, the Entitlement Management Message (EMM), delivers the entitlements purchased by or granted to the consumer. The functions of each of these messages are described in greater detail below.

The following provides an outline of how software objects are authorized to run (post authentication). All software objects that are not authorized (and authenticated) in this manner will not be usable by the set-top terminal. In the event that all preventive measures intended to keep unauthorized software objects from residing within the set-top terminal fail, this approach aids in detecting such applications and in preventing their utilization or execution.

In the digital set-top terminal, the utilization of all software objects (including applications associated with a given service) must be authorized by the access control system. The software object is specified to consist of downloadable code or data that may be utilized in the set-top terminal at either the subscriber's or the MSO's will.

First, as illustrated in the block diagram of FIG. 1, an Object Authentication Signature Device 300 (OASD) utilizes either a National Access Controller 310 (NAC) (in the national control scenario) or a Local Access Controller 320 (LAC) (in the local control scenario) to interact with a number of set-top terminals 350a, 350b, etc. The details of the interactions of each of these devices are described in detail below in connection with the detailed description of the invention.

Referring to the flow chart of FIG. 2, in step 10, a "fingerprint", i.e., a digital signature, is created for each software object (e.g., applications, OS's, DLL's, JVM's, Java applications and applets, etc.). The fingerprint (signature) of the software object serves as a unique Entitlement Control Record (ECR). For example, each object the MSO wants to place in this category, i.e., under access control, is associated with a fingerprint. Note that the fingerprint [illegible] be encrypted by [illegible] means, or it could be a value derived from an initial value through processing it as an image or otherwise (i.e., the fingerprint may include object size, checksum, etc.).

In particular, the fingerprint (a digital signature) may be generated by a software/HW object authentication/signature device (OASD). This is performed after the software object is verified and validated (either through inspection, testing, etc., the details of which are outside the scope of this application). The intent of the software verification and validation is to ensure that the design and implementation of the object follows a pre-specified set of rules and requirements established for security purposes. This may be done under contract to the MSO (details of which are also outside the scope of this application). The fingerprint may be based on an object identifier (which may or may not be MSO-specific) and a cryptographic CRC of the object, which gives a form of identification that is unique to the software object itself (several conventional signing techniques may be employed, the details of which however are outside the scope of this application). If several objects are associated with a service, each may be associated with a signature, and then an overall signature may be provided for all of them whenever authentication of this higher level association is desired.

Continuing to step 20 of FIG. 2, the fingerprint of each software object is then associated with a service tier. Both satellite and cable access control systems utilize the concept of "tiering". For audiovisual services, a tier is a logical grouping of programs or services (the degenerate case being a single program or service). The grouping is created to facilitate control of the user's (subscriber's) access to that group of services based upon the MSO's subscriber profile (which services are subscribed to by a given consumer). Such access control would demand a great deal of memory in the set-top terminal if the access rights were stored as separate flags for each and every program or object available. The tiers are typically represented as single binary digits (bits) that can be defined and redefined dynamically. Since each tier (or group) is represented as a single bit and the tiers are defined to be relevant to the service offering at a given point in time, they offer the most compact representation possible for the user's access rights (compactness is very important, since the access rights must be kept in secure memory, which is limited, and must be transmitted frequently, and as such bandwidth requirements are minimized). One or more objects may be associated with a given service/application and assigned the corresponding tiers. Additionally, while such authorization rights may be stored on a server at the other end of the network (as opposed to at the set-top terminal), where a set-top terminal may query its rights by communicating with the server in real time, it is typically advantageous to distribute this information within the set-top terminals for security, robustness and performance, as well as for minimizing single point of failure effects. Once the event (or "program") terminates, or once the object(s) is no longer offered as part of a particular service, the tier definition will be updated to reflect this
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change. The authorization tiers for which the subscriber has been authorized are conveyed in a corresponding Entitlement Management Message (EMM) (described in further detail below in the description of FIG. 1, step 50).

In a preferred embodiment of the invention, there are two types of tiers: the first, a Subscription tier, is associated with a service (and corresponding objects) that continues over a duration of time and which is purchased ahead of actual use; the second, an Impulse Pay Per Use tier (IPPU, analogous to the Impulse Pay Per View for video programming), allows for an impulse purchase of an object or set of objects associated with a given service/application and may have a time duration associated with it. It will be appreciated by those skilled in the art that other usages, combination or conditional, can be based on these two tiers.

Referring once again to step 20 in FIG. 2, more specifically, the first fingerprint to service tier association may be assigned by the MSO's access controller (Access Controller (AC) for national control, or Digital Access Controller (DAC) for local control) via the addition of a CA (conditional access) subtending signature functionality specific to objects associated with the MSO's network. This function can be facilitated by the OASD when it is acting as a subtending device to the MSO's AC or the DAC. As previously mentioned, OASD functionality may be embodied in an independent device (software and hardware) which in turn would communicate with the AC or the DAC to obtain the access requirement assignments (corresponding tiers for that object).

The additional MSO specific signature takes the signature of a previously signed object (i.e., the fingerprint or "digital signature" generated by the OASD) and adds to it a unique object identifier (if an MSO-specific object identifier is required). It also adds any one or more entitlement tier bits, which define the access requirements associated with the corresponding software object, and an envelope signature for the entire structure, referred to hereafter as the entitlement control structure (ECS). This unique and secret encoding of the ECS is shown in step 30.

The ECS may contain the access requirements for the object and associated resources, or it may be partitioned into two ECS's, one for the access requirements for the object and another for the resources. The latter approach is typically a more appropriate approach if the resource authorization is independent of a given object and is being performed on a set-top wide basis. However, either approach may be utilized (i.e., a combined ECS or two separate ECS's) and has no impact on how the authorization steps are performed.

The cost and free-use period, along with global set-top terminal resource restrictions, for example, may be assigned by this device as specified by the AC or the DAC (which in turn may be specified via the Billing System interface). These parameters are also conveyed as part of the ECS within the ECM.

The functionality of the OASD and the MSO's signing and creation of the ECS (steps 10-30) may be combined into a single device, subtending to the AC or the DAC, as the preferred embodiment since it is the simpler case. Either way, the physical product partitioning shouldn't alter the functional steps that need to be performed (it may optimize these steps however).

Continuing to step 40 of FIG. 2, at the MSO, the collection of unique ECS's forms an association table that is made available to a national or local download function (Downloader) associated with the AC or the DAC, respectively, and is downloaded to the digital set-top terminal (either in its entirety, or one entry at a time in an appropriate message, when downloading). Whenever the Downloader downloads protected software objects it provides the digital set-top terminal with the secret "software object fingerprint to service tier association" (ECS), which is encrypted by known means before transmission. The Downloader downloads the software object in a carousel fashion, and the ECS in its associated ECM's may be conveyed independently. It will be appreciated by those skilled in the art that this independence provides an additional security measure.

Applicants note that in an alternative embodiment of the invention, the ECS may effectively consist of the ECR only (i.e., step 20 of FIG. 2 is not performed). The ECS in such an embodiment is piggybacked onto the downloaded object. The set-top terminal examines the ECS to perform the authentication check as the set-top downloader downloads the first N bytes of the object (as indicated by the header information accompanying the downloaded object) and ignores the trailing bytes that form the ECS. However, the preferred embodiment described above is preferable to this embodiment for two reasons. First, the piggybacking of the ECS onto the object removes a desirable security measure, and second, this embodiment introduces inconsistent processing between an ECS which contains only the ECR and one which contains the ECR and the tier association. The preferred embodiment, however, does not restrict how the ECS may be conveyed, nor does it restrict the ECS to the type of message that specifies it (EMM or some other control message).

Now returning to the description of step 40 of FIG. 2, the Downloader may be part of the AC or the DAC, since it can be viewed as a software task; alternatively, it can be separate from the DAC, as a software task on its own hardware platform.

The MSO, through the AC or the DAC (HW and SW devices), establishes by parameter settings a profile that controls the set-top terminal's access to a specific service and associated object or set of objects, using the previously mentioned Entitlement Management Messages (EMM's) specific to that set-top terminal. These messages also establish whether the set-top terminal is to utilize the software object and may also specify which set-top terminal resources (e.g., communication ports, printer port, keyboard, etc.) the object is allowed to use (when object-level control is desired). Additionally, the AC or the DAC may selectively assign an impulse authorization tier (and convey the setting via the same message) to facilitate immediate authorization of the requested resource when the subscriber explicitly requests that the resource be authorized. In the case where a resource is authorized as an Impulse-authorizable resource (by associating it with an impulse tier in the message), the user may request an impulse (i.e., immediate) authorization of this resource, thereby preventing the subscriber (user) from needing to call the MSO for such authorization.

Finally, in step 50, the AC or the DAC sends the EMM's to each and every set-top terminal to enable it to download and utilize the object(s) (more specifically, when resource control is desired for a single object globally across all set-tops, the permission list for the resource control may reside in the ECS; otherwise the permissions (access rights) are conveyed to each set-top individually in an EMM). The Access Controller (or DAC) then sends the entitlement to the set-top terminal that is authorized to receive this service
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and associated objects (again, these entitlements are assigned in the previously described EMM's).

A system routine is created and provided in the set-top terminal, and is invoked whenever the set-top terminal is to check the authorization rights and authenticity of the software objects associated with the requested service. This system routine may be part of the core code (BIOS) in the set-top terminal. It may also be provided within the operating system (OS), or middleware. When downloading the operating system, or the JVM for example, the resident routine is invoked to check authorization rights prior to download and, if so authorized, to authenticate these objects post download. A second authorization stage may also be present (for some objects) to check if utilization/launch of these objects is allowed. Once the operating system is loaded, any subsequent object utilization that involves the operating system or the JVM invokes the equivalent authorization and authentication routine in the OS.

More specifically, the set-top terminal authenticates and authorizes a downloaded object using the EMM's and ECM's associated with a given set-top terminal and object respectively. The set-top may check the authorization rights against the authorization requirements of the software object prior to downloading the object, upon downloading the object, or whenever the object is about to be utilized. Subsequent authorization checks are optional. FIG. 3 is a flowchart illustrating the steps performed at a set-top terminal upon invoking software object.

In FIG. 3, step 100 is the download request. Accordingly, in step 110, the BIOS, operating system and/or the Java Virtual Machine (JVM), when requiring the download or the use of a software object, call(s) the set-top CA routine for an authentication and authorization check. The use or launch of the object is allowed only if the check passes. The CA check is facilitated by the secure processor. In addition, a lifetime feature may be implemented, wherein the secure processor records the object lifetime and checks it for expiration, starting for example with first use (i.e., the first time the secure processor was engaged in authenticating and authorizing the object). When expired, it may interrupt the operating system or JVM to disable/delete the object(s). If any of the checks fail, the set-top terminal may log the results to report back to the access controller. Again, this feature is a combination of software and hardware functions.

More specifically, returning to FIG. 3, in step 120 a determination is made as to whether or not there is a need to check authorization rights. If not, as shown in FIG. 3, in step 130, the software object may be downloaded to the set-top terminal prior to any authorization. However, if so, in step 200 the Conditional Access (CA) routine, before downloading the object, may determine if the set-top terminal is authorized to download the object. This step is optional and may depend upon the nature of the software object (i.e., some objects are necessary and may not require this prior authorization). If the step is performed, and if a determination is made that the set-top terminal is authorized to download the object, the process continues to step 210. If, however, a determination is made in step 200 that the set-top terminal is not authorized to download the object, the process continues to step 150, where the object is not utilized.

In step 210 the software object is downloaded to the set-top terminal and the process continues to step 150 for authentication, described in further detail below.

Alternatively, again if a determination was made in step 120 that there was no need to check authorization rights, the software object is downloaded (step 130) and, as shown in step 140, the Conditional Access (CA) routine determines if the set-top terminal is authorized to use/launch the software object. Based on this determination, the software object may or may not be utilized. All unauthorized software objects will not have a corresponding tier association. The encoded "fingerprint of the software object to tier value" association (ECS) of the software object (or "application" in this example) is known only to the MSO and by definition is unique to each software object and is protected. Accordingly, if a determination is made in step 140 that the set-top terminal has not been authorized to use/launch the software object, the process continues to step 140, where the software object is not downloaded (or utilized). If the tier corresponding to the software object has been authorized, however, the process continues to step 150.

Continuing to step 150, the CA routine, again with the assistance of the secure processor, checks to see if the software object has the corresponding fingerprint association. Depending on the result, the software object may or may not be utilized. For example, all unauthorized software objects will not have a corresponding fingerprint (since an unauthorized software object cannot "guess" the corresponding ECR value). In that case, the process continues to step 160, where the software object is not used. The protected fingerprint of the software object is known only to the MSO and by definition is unique to each software object. If the software object has the corresponding fingerprint association, however, the process continues to step 170, where the set-top terminal authorizes and authenticates the downloaded object.

It will be appreciated by those skilled in the art that each of the authorization steps illustrated in steps 140 and 200 of FIG. 3 is optional and is not necessarily performed. In addition, although the authorization check performed in step 200 continues to step 210 and then to the authentication of step 150, additional subsequent checks could be performed by the CA routine and are well within the scope of the invention.

In addition, in a second embodiment of the invention, if the software object requires the utilization of a given set-top terminal resource, a similar checking process to determine if the software object has permission to use the required resources may occur. These permissions (authorization rights) may be associated with a given object for all set-top terminals or may be associated with a given object for a specific set-top terminal. The authorization rights to use the set-top terminal resources are conveyed in a similar manner, via EMM's.

As noted above, the authorization rights may also be designated as Impulse tiers to indicate that the subscriber may request the immediate authorization of the Impulse-authorizable resource. The set-top in turn checks the request in a similar manner and, if the Impulse tier is set, it registers the authorization as having taken place (for possible subsequent billing purposes).

Each of these options is shown in FIG. 4, where in step 122 a determination is made as to whether a set-top terminal resource is requested by the software object (i.e., whether the software object has requested resource utilization via the OS). If step 122 determines that a valid set-top terminal resource has not been requested, no further action is taken.

If, however, step 122 determines that a valid set-top terminal resource has been requested, the process continues to step 124, in which the OS invokes the driver associated with the requested set-top terminal resource. Continuing to
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step 126, the associated driver (upon the first use only of the tions and variations of the present invention are covered by 

resource) invokes a "second Conditional Access routine" the above teachings and within the purview of the appended 

(which may be part of BIOS or the operating system) to claims without departing from the spirit and intended scope 

determine if the requesting software object is allowed to use of the invention, 

this resource. More specifically, the driver routine calls the 5 What is claimed is: 

second access control routine which, in conjunction with the 1. A method for providing authorization and access con- 
secure processor, determines whether the software object trol of software object residing in digital set-top terminals, 
may utilize the requested resource (i.e., determines if it is comprising the steps of: 

authorized for such use). The resource usage authorization creating a fingerprint for each software object; 

rights are stored in secure memory as well. Specifically, in J{) associating each fingerprint with a service tier; 

step 128 it is determined if the EMM provided permission to encoding each association made in said associating step; 

use the requested resource. If the EMM did not provide such crea ting an association table containing the information 

permission, the process disallows the use of the requested generated in said encoding step; 

resource (step 130) (i.e., the control goes back to the driver downloading the association table to the digital set-top 

and then the OS with a negative result, indicating that use of ^ terminal; 

the requested resource is not allowed). However, if the transmitting a message, providing an indication of what 

EMM provided permission, the utilization of the requested software the set-top terminal may utilize, to the digital 

set-top resource is allowed in step 132. set-top terminal; and 

In addition, in the case where the permissions are set as providing a system routine at the digital set-top terminal 

Impulse tiers (requiring an explicit request from the user for 2Q that is invoked whenever software object has been 

the authorization to take effect), the routine grants the downloaded or is about to be utilized, 

authorization and registers the Impulse request within the wherein the system routine uses the association table to 

secure processor (for possible subsequent billing purposes determine if the software object about to be invoked 

via a report back mechanism to the AC or the DAC). has been authorized for the set-top terminal. 

In a still further aspect of a preferred embodiment of the ^ 2. The method of claim 1, further wherein the software 

invention, the driver associated with a requested resource object has been verified and validated prior to the recited 

may invoke the second CA routine only upon the first use of steps. 

the resource by the software object, wherein subsequent 3. The method of claim 1, further comprising the steps of : 

invocations of the second conditional access routine are recording a lifetime of the software object; and 

optional. 30 starting with a first use, checking the lifetime of the 

Finally, it will be appreciated by those skilled in the art software object for expiration, 

that various methods may be implemented in order to detect 4. The method of claim 3, wherein if a determination is 

any tampering to circumvent the processes described above. made in said checking step that the software object lifetime 

These methods may include periodic background checks of has expired, further comprising the step of disabling the 

the software object memory, fingerprint (which may include 35 software object. 

memory size, checksum, etc.), including the set-top terminal 5. The method of claim 1, wherein if a plurality of 

core BIOS, Operating System, etc., against pre-calculated software objects are associated with a service, further com- 

and protected values for each. Specifically, for example, the prising the step of: 

set-top terminal's secure processor in conjunction with the creating a fingerprint for the plurality of software objects 

user processor can perform a memory checksum on certain 40 as a group. 

critical components of the software. This may be done 6. The method of claim 1, wherein the transmitted mes- 

whenever the user processor and the secure processor have sage further indicates which set-top terminal resources the 

sufficient idle time to perform this function in order to software object is authorized to utilize, 

minimize adverse performance effects on other functions. It 7. The method of claim 6, wherein an impulse authori- 

may also be invoked at the operator's request via a received 45 zation service tier may be assigned to facilitate immediate 

command message (from the MSO's controller), in the event authorization of a resource. 

that the MSO wants to verify the integrity of the software as 8. Hie method of claim 7, wherein the impulse authori- 

part of a trouble shooting or monitoring process. The secure zation service tier has a time duration associated with it. 

processor has the cryptographic checksum of the software 9. The method of claim 1, farther wherein the transmitted 

component to be checked. The user processor, under the 50 message in said transmitting step provides the indication by 

operating system's control, passes the memory segments setting the corresponding service tiers, 

comprising this object to the secure processor. 10. The method of claim 1, further wherein if the service 

If the secure processor determines that the check has tier has not been authorized, the software object is not 

failed, it may embody the status in an encrypted format, executed. 

which is incorporated in a message that is sent to the MSO's 55 11. The method of claim 1, further wherein if the service 

controller. The reliance on the user processor for this pur- tier has been authorized, the system routine checks deter- 

pose may be minimized to ensure that these operations can mines if the software object about to be utilized passes a 

not be intercepted. In addition, in the event that tampering or corresponding fingerprint check. 

a transmission error (in either case, a "deviation") is 12. The method of claim 11, wherein if the software object 

detected, additional indications may be provided, for so about to be utilized passes the corresponding fingerprint 

example, flagging the set-top terminal's unique address to check, further comprising the step of: 

the MSO/headend to shut off all or some of the subscriber's determining if the use of a set-top terminal resource has 

services, notifying a local or national Access Control Center been requested. 

of the event, the time, the unique set-top terminal address, 13. Hie method of claim 12, wherein if a determination is 

geographic location, etc. 65 made in said determining step that the use of a set-top 

Although various embodiments are specifically illustrated terminal resource has been requested, further comprising the 

and described herein, it will be appreciated that modifica- step of: 



providing a second system routine at the digital set-top terminal.

14. The method of claim 12, wherein if a determination is made in said determining step that the use of a set-top terminal resource has been requested, further comprising the step of:
determining if it is the first time that use of the set-top terminal resource by the software object has been requested,
wherein if it is the first time that use of the resource has been requested, providing a second system routine at the digital set-top terminal.

15. The method of claim 13, wherein the second system routine uses the transmitted messages to determine if the software object may utilize the requested set-top terminal resource.

16. The method of claim 11, further wherein if the software object about to be utilized does not have a corresponding fingerprint, the software object is not executed.

17. The method of claim 1, wherein the fingerprint of the software object residing in the set-top terminal is periodically compared to a reference value and an indication of a deviation is provided.

18. A method for providing authorization and access control of applications executing in digital set-top terminals, comprising the steps of:
associating each application with a service tier;
encoding each association made in said associating step;
creating an association table containing the information generated in said encoding step;
downloading the association table to the digital set-top terminal; and
providing a system routine at the digital set-top terminal that is invoked whenever an application is invoked,
wherein the system routine uses the application association or the association table to determine if an invoked application is associated with a service tier, and
wherein if the invoked application is not associated with a service tier, the application is not utilized.

19. The method of claim 18, further wherein if an invoked application is associated with a service tier, the system routine further determines if the tier corresponding to the service/application has been authorized.

20. The method of claim 18, wherein when set-top terminal resource control is desired for a single application across all set-tops, further comprising the step of:
providing an indication of the set-top terminal resource control in the encoded associations, wherein a second system routine uses the association table to determine if the software object may utilize the requested set-top terminal resource.

21. The method of claim 18, wherein set-top terminal resource control indications are conveyed to each set-top individually.

22. The method of claim 18, wherein the software memory size of critical software components of the digital set-top terminal are periodically compared to a reference value and an indication of a deviation is provided.

23. The method of claim 18, wherein the software size of the operating system of the digital set-top terminal is periodically compared to a reference value and an indication of a deviation is provided.



24. The method of claim 18, wherein the software object memory size of the application code image in the digital set-top terminal is periodically compared to a reference value and an indication of a deviation is provided.

25. The method of claim 18, wherein the checksum of critical software components of the digital set-top terminal is periodically compared to a reference value and an indication of a deviation is provided.

26. The method of claim 18, wherein the checksum of the operating system of the digital set-top terminal is periodically compared to a reference value and an indication of a deviation is provided.

27. The method of claim 18, wherein the checksum of the software object in the digital set-top terminal is periodically compared to a reference value and an indication of a deviation is provided.

28. A system for providing authorization and access control of software object residing in digital set-top terminals, comprising:
a multiple system cable operator site comprising:
  means for creating a fingerprint for each software object;
  means for assigning each fingerprint to a service tier;
  encoding means for encoding each association made in said associating step;
  means for creating an association table/message containing the information generated in said encoding step;
  means for downloading the association table to the digital set-top terminal;
  means for transmitting a message, providing an indication of what software the set-top terminal may utilize, to the digital set-top terminal; and
a digital set-top terminal comprising:
  a system routine that is invoked whenever software object has been downloaded or is about to be utilized,
  wherein the system routine uses the association table/message to determine if the software object about to be invoked has been authorized for the set-top terminal.

29. The system of claim 28, wherein said means for creating a fingerprint comprises an independent software/HW object authentication.signature device (OASD).

30. The system of claim 29, wherein the OASD comprises said means for assigning each fingerprint to a service tier.

31. A digital set-top terminal, operating together with a multiple system cable operator system to provide authorization and access control of software object residing in the digital set-top terminal, the set-top terminal comprising:
a system routine that is invoked whenever software object has been downloaded or is about to be utilized,
wherein the system routine uses an association table/message, created at the MSO and downloaded to the set-top terminal, to determine if the software object about to be invoked has been authorized for the set-top terminal,
and further wherein the association table/message comprises an encoded fingerprint to service tier association corresponding to the software object.
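The authorization flow the description walks through (fingerprint lookup in the downloaded association table, tier authorization via the EMM, the driver's second CA routine for resource use with its first-use-only invocation and Impulse registration) and the periodic integrity check against protected reference values, as an added Python example that is not part of the patent. Tier numbers, resource names, the EMM layout and the size-plus-SHA-256 fingerprint are assumptions; the patent fixes none of them.

```python
import hashlib

def fingerprint(image: bytes) -> str:
    """Fingerprint: memory size plus a cryptographic checksum of the image."""
    return f"{len(image)}:{hashlib.sha256(image).hexdigest()}"

# Constructed sample objects and the MSO's association table (fingerprint -> tier).
GUIDE_IMG, GAME_IMG = b"\x7fELF guide v1", b"\x7fELF game v1"
ASSOCIATION_TABLE = {fingerprint(GUIDE_IMG): 10, fingerprint(GAME_IMG): 20}

# EMM for one terminal (constructed): the tiers it is authorized for and, per tier,
# the resources that tier may use, each either pre-granted or an Impulse right
# that takes effect only on an explicit subscriber request.
EMM = {"tiers": {10, 20},
       "resources": {10: {}, 20: {"modem": "grant", "ppv_decoder": "impulse"}}}

class Terminal:
    def __init__(self, table, emm):
        self.table, self.emm = table, emm
        self.vetted = set()      # (fingerprint, resource) pairs already checked
        self.impulse_log = []    # Impulse requests registered for later billing

    def system_routine(self, image):
        """Load-time check: the object's fingerprint must appear in the table
        and the EMM must authorize its tier; otherwise it is not utilized."""
        tier = self.table.get(fingerprint(image))
        return tier is not None and tier in self.emm["tiers"]

    def second_ca_routine(self, image, resource, user_request=False):
        """Steps 122-132: invoked by the driver on first use of a resource."""
        fp = fingerprint(image)
        if (fp, resource) in self.vetted:       # later uses skip the check
            return True
        right = self.emm["resources"].get(self.table.get(fp), {}).get(resource)
        if right == "grant" or (right == "impulse" and user_request):
            if right == "impulse":
                self.impulse_log.append((fp, resource))   # registered for billing
            self.vetted.add((fp, resource))
            return True                         # step 132: use allowed
        return False                            # step 130: use disallowed

def background_check(memory, protected_refs):
    """Periodic integrity check: fingerprint each critical component (OS, BIOS,
    object images) and report those that deviate from the protected reference."""
    return [name for name, ref in protected_refs.items()
            if fingerprint(memory.get(name, b"")) != ref]
```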



UNITED STATES PATENT AND TRADEMARK OFFICE

CERTIFICATE OF CORRECTION

PATENT NO. : 6,256,393 B1
DATED : July 3, 2001
INVENTOR(S) : Reem Safadi et al.

Page 1 of 1

It is certified that error appears in the above-identified patent and that said Letters Patent is hereby corrected as shown below:

Column 5,
Line 29, after "object)", insert -- . --.

Column 12, claim 29,
Line 46, change "authenication.signature" to -- authentication/signature --.

Signed and Sealed this
Twenty-sixth Day of February, 2002

Attest:

JAMES E. ROGAN
Attesting Officer
Director of the United States Patent and Trademark Office


